fsck damaged files? some problems now

Tweak

19-12-11 I received a message from xs4all that our webserver is "hacked", it was attacking other servers on port 22? I placed a drop rule for everything on iptables, so I could look at what was going on... (I forgot why, but I needed to reboot) then everything went wrong, fsck told me it needs to scan... it was almost finished and it crashed and told me to do it manually, a lot of stuff I needed to do, but it's OK now I think. And after it was booted fine again /etc/init.d/exim was gone??? + proftpd and apache were not able to start.. a lib was gone. So I ran the scripts in the DA scripts folder like exim.sh and apache custombuild.

I thought phew, everything is working fine now.. but some domains are not working anymore. 1 domain I already fixed: the .db file was gone, so I opened one and changed the domain etc. and saved it..

Now I get on 2 domains "apache is function normally". What is wrong with these domains? When I log in to DA and look at the user, it says Error on bandwidth usage etc.

And maybe someone can help me, but I can't find the hacked stuff? chkrootkit and rkhunter look OK, there is only 1 thing I found: there was a user with viagra html files and a php script to send mail spam.. I looked in the auth log and I saw someone logging in on that user with ftp and placing those files.. that happened on 19-12-11 when xs4all gave the warning. I removed the files and changed the user pass

please help :(
 
I could take a look, PM me for a quote if you're interested. Or look at the advertising sub-forum, as there you can find some other guys who could help you.
 
19-12-11 I received a message from xs4all that our webserver is "hacked", it was attacking other servers on port 22? I placed a drop rule for everything on iptables, so I could look at what was going on... (I forgot why, but I needed to reboot) then everything went wrong, fsck told me it needs to scan... it was almost finished and it crashed and told me to do it manually, a lot of stuff I needed to do, but it's OK now I think.
Unless it's not. fsck can certainly be used to make changes which fix the file integrity at the expense of deleting files which the system needs.

I'd strongly recommend you have someone look at your server; it's possible (perhaps reasonable) that you need to do a complete reinstall, or even need a new drive.

Jeff
 
Jeff, thanks for your response. I don't think the disks are damaged, the software raid is still OK and everything worked fine until the reboot.. I think I made a mistake with fsck: I started a manual scan on the disk when it was mounted... so I think the files are damaged because of that.

And the only thing that is broken now is 2 domains. Can you tell me what to do? Where do I need to look for the domains that say "apache is function normally"?
 
I never meant to imply that the drives are damaged. The purpose of fsck is to fix a file system which could easily become damaged over time; that's why fsck comes up from time to time. If the automatic fsck didn't work, then that's proof there was some file system damage. And then, you could easily damage the file system structure by your answers to the questions that fsck asks. I've been using fsck for many years, and I still pronounce it the same way as I would if the second letter was a certain vowel :).

If the domains come up with Apache is functioning normally and you google this forum you should probably find some discussions on where to look.

Google search:
Code:
 apache is functioning normally site:www.directadmin.com
You'll probably find this post as well as others.

Jeff
 
Thanks, all is fixed now, phew. There was a user with a lot of confs corrupted.. and with Google I found /usr/local/directadmin/scripts/fix_da_user.sh

Damn, I love DirectAdmin, everything is easy to fix!!
 